Q COSTARICA — This Wednesday, the Legislative Assembly approved the ley de estafas bancarias (bank fraud law) designed to strengthen the protection of those who use financial services against the rise in digital theft.
The legislation comes amid increasingly sophisticated electronic fraud, which includes identity theft and manipulation techniques to access bank accounts.
Although the law aims to protect users, it has also generated technical debate.
The Superintendencia General de Entidades Financieras (SUGEF)—General Superintendency of Financial Entities—warned that some aspects could conflict with the Constitution or its supervisory model, while digital law experts emphasize that its implementation will require significant changes in bank operations.
Mauricio París, a partner at ECIJA and a specialist in digital law, points out that the law addresses a real concern, but it will bring regulatory and operational challenges that will need to be resolved in the coming months.
Among the most relevant changes highlighted by the expert are five key points:
- Clear responsibility for banks: Financial institutions will be held accountable for money stolen from accounts by unauthorized third parties, unless they can prove they took all necessary security measures to prevent fraud.
- Formal complaint procedure: Customers now have a specific process for reporting fraud. The complaint must be filed within 30 days, and the bank has another 30 days, extendable by 10, to investigate, evaluating usage patterns, devices, and authentication.
- New role of SUGEF: If a bank rejects a complaint, it must send the resolution and technical evidence to the Superintendency, which will have 10 business days to validate the decision, although there will be no penalty for taking longer.
- Burden of proof in favor of the consumer: In administrative or judicial disputes, the bank will be responsible for demonstrating that it acted with appropriate security and due diligence standards.
- Prevention obligations: Banks must have immediate protocols in place for fraud victims, 24/7 reporting channels, and security standards defined by financial regulations.
“The implementation of the law will depend largely on the technical regulations that must be issued in the coming months and on how the roles of the various institutions involved are coordinated,” said París.
Law does not cover credit cards
The new law does not cover credit card fraud. This is one of the main criticisms of the law.
There is confusion regarding credit cards. This law does not apply to credit card fraud, despite some misinterpretations. That is already regulated by other legal frameworks, and it was never the legislator’s intention to include it in this law, according to the promoter of the law, legislator Alejandro Pacheco.
The law clearly states that it would require financial institutions to be responsible only for transactions linked to bank accounts, including debit cards and Sinpe transactions.
ABC rejects the bank fraud law and warns of legal uncertainty for customers and institutions
The Asociación Bancaria Costarricense (ABC)—Costa Rican Banking Association—reiterated its opposition to the bank fraud law, arguing that the text contains loopholes and creates legal uncertainty for both financial institutions and users.
According to the association, the initiative has generated a false expectation among the public by conveying the idea that banks must automatically refund money in all cases of fraud, something that does not correspond to what is established in the text approved by the legislators.
According to the Association, the text itself includes a specific procedure for analyzing each claim.

